The Register

CISA flags imminent threat as Akira ransomware starts hitting Nutanix AHV

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance to organizations on the Akira ransomware operation, which poses an imminent threat to critical sectors.

In an updated advisory produced with the FBI and European law enforcement partners, it said Akira has expanded its capabilities and is now targeting Nutanix AHV virtual machines, an evolution from its previous attacks against VMware ESXi and Hyper-V.

The agencies spotted attacks against Nutanix hypervisors in June, but did not specify the affected organizations, and added that the data informing the advisory is as recent as November 2025.

Critical national infrastructure (CNI) organizations were urged to be on high alert for a new breed of attacks coming from the Russian ransomware outfit as it looks to further its criminal revenues, currently pegged at $244.17 million.

Nutanix’s hypervisors are among the market leaders and are typically used in sectors such as healthcare, finance, and government.

While Akira is typically known for targeting small and medium businesses, its members have also laid claim to attacks on larger organizations.

The advisory stated that the group has previously displayed “a notable preference for organizations in the manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors.”

Akira affiliates most often gain initial access to targets’ networks through bugs in VPN products, and the advisory explicitly cites CVE-2024-40766, a critical improper access control flaw in SonicWall SonicOS that affiliates have exploited against exposed and misconfigured SSL-VPN endpoints, as Rapid7 previously reported.

BitSight researcher Emma Stevens told The Register in September that more than 438,000 vulnerable SonicWall devices were exposed to the web at the time this intel was first disseminated, “representing a significant attack surface.”

By then, affiliates working for both the Akira and Fog ransomware crews had been exploiting the same flaw for around a year, although the initial access technique varies with the target.

“In some instances, they gain initial access through compromised VPN credentials, potentially by using initial access brokers or brute-forcing VPN endpoints,” the advisory stated.

“Additionally, Akira threat actors deploy password spraying techniques, using tools such as SharpDomainSpray to gain access to account credentials. In other incidents, indicators suggest that Akira threat actors gained initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. 

“After tunneling through a targeted router, Akira threat actors exploit publicly available vulnerabilities, such as those found in the Veeam Backup and Replication component of unpatched Veeam backup servers (CVE-2023-27532 and CVE-2024-40711).”
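The password spraying and brute-forcing the advisory describes leave a recognisable shape in VPN authentication logs: a spray is one source failing against many distinct accounts with few attempts each, while brute force is one source hammering a single account. The following is an added example, not code from the advisory or from any vendor, that runs that distinction over a few constructed log lines; the log format, the documentation-range IP addresses and the thresholds (five distinct users or eight attempts within ten minutes) are all assumptions chosen for the illustration, and a real deployment would parse the actual SonicWall or other VPN log format and tune the thresholds to its own baseline.

```python
"""Toy detector separating password spraying from brute forcing in VPN auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption; real SonicWall/other VPN logs differ).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: auth (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample data: 203.0.113.7 sprays one password across many accounts
# and eventually lands a hit, 198.51.100.9 brute-forces a single account, and
# 192.0.2.5 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2025-11-03T08:00:01Z vpn-gw1 sslvpn: auth failed user=alice src=203.0.113.7
2025-11-03T08:00:04Z vpn-gw1 sslvpn: auth failed user=bob src=203.0.113.7
2025-11-03T08:00:07Z vpn-gw1 sslvpn: auth failed user=carol src=203.0.113.7
2025-11-03T08:00:10Z vpn-gw1 sslvpn: auth failed user=dave src=203.0.113.7
2025-11-03T08:00:13Z vpn-gw1 sslvpn: auth failed user=erin src=203.0.113.7
2025-11-03T08:00:16Z vpn-gw1 sslvpn: auth ok user=frank src=203.0.113.7
2025-11-03T08:01:00Z vpn-gw1 sslvpn: auth failed user=admin src=198.51.100.9
2025-11-03T08:01:05Z vpn-gw1 sslvpn: auth failed user=admin src=198.51.100.9
2025-11-03T08:01:10Z vpn-gw1 sslvpn: auth failed user=admin src=198.51.100.9
2025-11-03T08:01:15Z vpn-gw1 sslvpn: auth failed user=admin src=198.51.100.9
2025-11-03T08:01:20Z vpn-gw1 sslvpn: auth failed user=admin src=198.51.100.9
2025-11-03T08:01:25Z vpn-gw1 sslvpn: auth failed user=admin src=198.51.100.9
2025-11-03T08:01:30Z vpn-gw1 sslvpn: auth failed user=admin src=198.51.100.9
2025-11-03T08:01:35Z vpn-gw1 sslvpn: auth failed user=admin src=198.51.100.9
2025-11-03T08:02:00Z vpn-gw1 sslvpn: auth failed user=grace src=192.0.2.5
2025-11-03T08:02:05Z vpn-gw1 sslvpn: auth ok user=grace src=192.0.2.5
"""


def parse_log(text):
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_users=5, brute_attempts=8):
    """Return {src: finding} for sources whose failures look like an attack.

    spray:       failures against >= spray_users distinct accounts inside window
    brute_force: >= brute_attempts failures against one account inside window
    Each finding also lists accounts that authenticated successfully from the
    same source after its first failure: that is the hit the attacker wanted.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failed"]
        distinct = 0
        max_per_user = 0
        # Slide a window starting at every failure and track the worst case.
        for i, start in enumerate(failures):
            in_win = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e["user"]] += 1
            distinct = max(distinct, len(per_user))
            max_per_user = max(max_per_user, max(per_user.values()))

        if distinct >= spray_users:
            verdict = "spray"
        elif max_per_user >= brute_attempts:
            verdict = "brute_force"
        else:
            continue  # below both thresholds: not reported

        first_fail = failures[0]["ts"]
        successes = sorted({e["user"] for e in evs
                            if e["result"] == "ok" and e["ts"] >= first_fail})
        findings[src] = {
            "verdict": verdict,
            "distinct_users": distinct,
            "max_per_user": max_per_user,
            "success_after_failures": successes,
        }
    return findings


def detect(text=SAMPLE_LOG):
    """Convenience wrapper: parse and classify in one call."""
    return classify_sources(parse_log(text))


if __name__ == "__main__":
    for src, finding in detect().items():
        print(src, finding)
```

The success-after-failures field is the part worth alerting on with the highest priority: a spray that produces a valid login from the same source is exactly the compromised-credential path the advisory describes, and it is invisible to a rule that counts failures alone.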

After gaining initial access, Akira’s affiliates move laterally across victim networks until they reach Nutanix’s AHV platform, where they deploy encryption payloads.

Encrypting at the hypervisor layer takes down every guest VM on the host at once, and because Akira exfiltrates data before running its encryptor, a successful compromise of these VMs typically also means business-critical and other sensitive data falling into the wrong hands.

Nick Tausek, lead security automation architect at Swimlane, said the updates from CISA et al are “notable and troubling,” and suggest a sophisticated approach to refining Akira’s operations.

“Akira has advanced to the point where common security protections cannot fully protect users,” he added. “In their recent breach of SonicWall, threat actors were able to bypass victim MFA by compromising one-time password seeds or finding other ways to generate authentication tokens.

“Organizations have to prioritize remediating known exploited vulnerabilities as soon as patches are made available, and keep all operating systems up to date.”

The advisory contains updated indicators of compromise (IOCs) specific to Akira’s latest attacks, complete with recommended mitigations, including those specific to K-12 schools.

Generally speaking, however, the mitigations have not changed significantly from when the document was first published in 2024, and do not substantially differ from those pertaining to other ransomware groups.

The list of mitigations is long, but the usual advice still applies. Patching known bugs, deploying MFA as widely as possible, enforcing strong password policies, maintaining backups, and segmenting networks are among the actions most often recommended in the context of ransomware defense.

Akira first emerged in 2023 as one of the several offshoots of Conti, and has since steadily maintained its status as one of the leading groups of its kind.

Notable attacks claimed by the group since spinning up include British bath bomb merchant Lush, Stanford University, Finnish IT services provider Tietoevry, and the Toronto Zoo. ®